Sometimes I imagine: My money in the bank is just a floating point number in a mainframe's memory... So, if I just change 1 bit, I will win a lot of money...

The most common way to steal money in banks today is to just ask people for their account information and credentials, through fake e-mails or websites. However, this would seem to leave a fairly high chance of being identified if the victim catches on.

Alternatively, are there more anonymous ways by which one might steal money directly from the bank's servers? Or, is this virtually impossible to the point that the only real weakness lies in the customers?

Is a hack like this only possible in Hollywood movies, or can it really be done in reality? Are there any known cases of this already having happened.

IMHO anything is possible, their systems are built by men, anything built by men will most likely have errors, identify the errors and you're golden. Alternatively, 4 buses, a few RPGs and 20+ people scattered all over a country can drawn quite a few ATM's in a very short amount of time, authorities would be frozen. The beginning of Swordfish(the movie, hacking is pretty lame, but the idea is very good) shows how "easy" some things can be if done "right". NOTE: I don't encourage any of this.
–
ComputerSaysNoDec 22 '12 at 20:31

1

As an aside: floating point numbers should never be used to represent money. Money in real life is broken down into decimals (in base 10) that can't be represented exactly in base 2. This introduces rounding errors appear into your calculations that you don't want to deal with. You should do exact math using say a Decimal object or using integers (representing pennies) to remove this uncertainty.
–
dr jimbobMar 2 '13 at 5:52

It's less likely an "Office Space" like attack will occur, there is a better chance of money being deposited into the wrong account and potentially not being fixed. Also, typically in an accounting type system you keep a running total, e.g., your row would be |transacid|change|balance| so you could follow from row to row and do an integrity check, they don't just store your current balance where you can switch one bit.
–
Eric GMar 2 '13 at 6:18

8 Answers
8

Each transaction needs an audit trail - numbers need to come from somewhere - and bank systems have these checks in place. Are they perfect? Almost, but enough to make it easier to look for other attack vectors, like humans.

Did I mention that I was in jail in a far away country and I need you to wire me money for bail?

Make a wire or ACH transfer to another bank. Withdraw that money from the other bank. If you're of the go big or go home mentality, run that money to a lot of other banks. Taking in a big wire transfer and immediately sending it back out might look suspicious to the receiving bank if it's the only transaction, but receiving a big transfer and sending maybe 20% of it out would seem normal. Also, embedding the transfer into some other account that is normally highly active would also be helpful.

Remember, it's not yours until it's cash. Wire transfers can be reversed, so you need to make the withdrawal or get it so far gone and laundered that it isn't coming back.

Banks use a lot of security, but sure - you still have smart, well paid criminals who will try and find misconfigurations, weaknesses, vulnerabilities or loopholes as it is less physically risky to try to steal money over the Internet than to hold up a bank with a gun.

Still reasonable odds of getting caught if you pull off a big one - see this FBI article on the Worldpay heist arrests. The clever bit of this job was using a large gang of people withdrawing up to the maximum on cards at locations all over the world simultaneously.

There is always a possibility, but especially with banks it's close to impossible. There have been cases of banks being hacked.

There are a number of measures in place to prevent this. On the other hand if you look around there are still a number of banks using basic input authentication methods that are rather easy to obtain through social engineering or sniffing (recent topic).

There are probably even more cases than admitted, banks do not really want to be known as insecure.

Maybe something else you might fancy is a recent article about how one could exploit stock exchanges by abusing latencies.

sadly, for banks, "close to impossible" merely indicates a very low probability of success - which when combined with a very high number of attackers means banks have to plan for cash losses through IT fraud and attacks that to you or I would seem frighteningly high!
–
Rory Alsop♦Mar 29 '12 at 8:30

The most common way to steal money from a bank is probably still wire fraud and in person robberies. It would be difficult to steal money directly from the bank, more likely the attack would be against individual accounts. People still commit frauds like check kiting.

Most cyber attacks are carried out by professional criminals using a number of mules to funnel the money. This is typically a well organized group or syndicate. By utilizing mules, the criminal organization can put the fall on the mule and escape with the money. Check out some of the articles from Krebs on Security.

If money is illicitly wired out of your account, you have a good amount of protection under Regulation E in the US. And in many cases, the transaction will be reversed. The bank may also reimburse you without taking the effort to recover the money if its actually cheaper considering time and effort and your value to the bank.

Banks do in fact keep regular audit trails, monitor account activity, etc. Many smaller banks to not allow external transfers for regular individual customers through their Internet banking or require special authorization. Most banks are not implementing two-factor authentication for logon and before each transaction for commercial accounts and/or large transfers. Banks can monitor for unusual activity and respond to suspected fraud. Many banks also offer account activity alerts the individual can use to start a fraud investigation.

It would be possible to attack the banks internal applications, but those would still typically be attacks against customer accounts in most cases, not "the bank's money". Internal applications should also have controls in place to detect fraud or irregular activity. Most of a bank's applications are going to deal with the customer's money.

All the banks I've worked with have an extreme amount of security surrounding the "mainframes" you are referencing. They are only accessible via device 'x' (locked down in some basement with no outside access, etc). All transactions go via proxies and multi-layered FW/IPS architectures. It's not impossible, but it's anything but easy

Edit:: Not to mention the endpoint security on the actual servers themselves. Gaining access to them may not even be the biggest problem (SSH key only logins etc).

First off that's not stealing money from the bank it's more like printing your own cash.

Technically it is possible to make money that way however only the central banks to do this so you'd need to have access to their systems to allocate currency to a commercial bank and then further allocate that to yourself. You'd also have to bypass the audit trail in the bank's systems and the heuristics which would flag up any large sudden windfall.

If you want to rob a bank account the best method remains transferring to a holding account and then to an e-gold service, finally forwarding to a collector account where a designated collector (hired on commission not the actual person stealing the cash) empties the account in cash.

Any straight bit flip would instantly be picked up by the auditing heuristics programs as any unexpected change in a balance or transfer will be flagged whether legitimate or not.

Some years ago a JavaScript code was injected into the website of a bank. It was silent and it just kept collecting credentials. People then used those credentials to steal money from the bank with a minimum effort, compared to hacking down to the core of the system.

The problem is that systems are circular. Where the beginning of the circle meets the returning line there exists a weak link. What is hard is correctly identifying the weak link and exploiting it.